smcv pushed a commit to branch debian/master
in repository ioquake3.

commit e9509e87643039d5a7419300ab3f36f5fa8bee62
Author: Simon McVittie <[email protected]>
Date:   Tue Mar 14 08:45:27 2017 +0000

    Add patches from upstream fixing security vulnerabilities
    
      - refuse to load potentially auto-downloadable .pk3 files as
        ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers
        (mitigation: auto-downloading is off by default, and in Debian
        we do not dlopen libcurl anyway)
      - refuse to load default configuration file names from a .pk3 file
      - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
        game code cannot set them
      - refuse to overwrite files other than *.txt with the dump console
        command
      - refuse to overwrite files other than *.cfg with the writeconfig
        console command
---
 debian/changelog                                   | 12 ++++
 ...-as-.dlls-and-don-t-load-user-config-file.patch | 76 ++++++++++++++++++++++
 .../Don-t-open-.pk3-files-as-OpenAL-drivers.patch  | 33 ++++++++++
 ...file-writing-extension-checks-from-OpenJK.patch | 50 ++++++++++++++
 debian/patches/series                              |  3 +
 5 files changed, 174 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6954d60..3bc3245 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,18 @@
 ioquake3 (1.36+u20161101+dfsg1-2) UNRELEASED; urgency=medium
 
   * d/gbp.conf: switch branch to debian/stretch for updates during freeze
+  * d/patches: Add patches from upstream fixing security vulnerabilities
+    - refuse to load potentially auto-downloadable .pk3 files as
+      ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers
+      (mitigation: auto-downloading is off by default, and in Debian
+      we do not dlopen libcurl anyway)
+    - refuse to load default configuration file names from a .pk3 file
+    - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
+      game code cannot set them
+    - refuse to overwrite files other than *.txt with the dump console
+      command
+    - refuse to overwrite files other than *.cfg with the writeconfig
+      console command
 
  -- Simon McVittie <[email protected]>  Tue, 14 Mar 2017 08:32:13 +0000
 
diff --git 
a/debian/patches/security/Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-file.patch
 
b/debian/patches/security/Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-file.patch
new file mode 100644
index 0000000..0a6f374
--- /dev/null
+++ 
b/debian/patches/security/Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-file.patch
@@ -0,0 +1,76 @@
+From: SmileTheory <[email protected]>
+Date: Mon, 13 Mar 2017 14:14:00 -0700
+Subject: Don't load .pk3s as .dlls,
+ and don't load user config files from .pk3s.
+
+Origin: upstream, 1.37, commit:376267d534476a875d8b9228149c4ee18b74a4fd
+Bug-Debian: https://bugs.debian.org/857699
+---
+ code/client/cl_main.c | 4 ++--
+ code/qcommon/files.c  | 6 ++++++
+ code/sys/sys_main.c   | 7 +++++++
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/code/client/cl_main.c b/code/client/cl_main.c
+index b68d4f9..31dd9ab 100644
+--- a/code/client/cl_main.c
++++ b/code/client/cl_main.c
+@@ -3200,7 +3200,7 @@ void CL_InitRef( void ) {
+       Com_Printf( "----- Initializing Renderer ----\n" );
+ 
+ #ifdef USE_RENDERER_DLOPEN
+-      cl_renderer = Cvar_Get("cl_renderer", "opengl2", CVAR_ARCHIVE | 
CVAR_LATCH);
++      cl_renderer = Cvar_Get("cl_renderer", "opengl2", CVAR_ARCHIVE | 
CVAR_LATCH | CVAR_PROTECTED);
+ 
+       Com_sprintf(dllName, sizeof(dllName), "renderer_%s_" ARCH_STRING 
DLL_EXT, cl_renderer->string);
+ 
+@@ -3551,7 +3551,7 @@ void CL_Init( void ) {
+ 
+       cl_allowDownload = Cvar_Get ("cl_allowDownload", "0", CVAR_ARCHIVE);
+ #ifdef USE_CURL_DLOPEN
+-      cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE);
++      cl_cURLLib = Cvar_Get("cl_cURLLib", DEFAULT_CURL_LIB, CVAR_ARCHIVE | 
CVAR_PROTECTED);
+ #endif
+ 
+       cl_conXOffset = Cvar_Get ("cl_conXOffset", "0", 0);
+diff --git a/code/qcommon/files.c b/code/qcommon/files.c
+index 92a9e40..27f5713 100644
+--- a/code/qcommon/files.c
++++ b/code/qcommon/files.c
+@@ -1364,12 +1364,18 @@ long FS_FOpenFileRead(const char *filename, 
fileHandle_t *file, qboolean uniqueF
+ {
+       searchpath_t *search;
+       long len;
++      qboolean isLocalConfig;
+ 
+       if(!fs_searchpaths)
+               Com_Error(ERR_FATAL, "Filesystem call made without 
initialization");
+ 
++      isLocalConfig = !strcmp(filename, "autoexec.cfg") || !strcmp(filename, 
Q3CONFIG_CFG);
+       for(search = fs_searchpaths; search; search = search->next)
+       {
++              // autoexec.cfg and q3config.cfg can only be loaded outside of 
pk3 files.
++              if (isLocalConfig && search->pack)
++                      continue;
++
+               len = FS_FOpenFileReadDir(filename, search, file, uniqueFILE, 
qfalse);
+ 
+               if(file == NULL)
+diff --git a/code/sys/sys_main.c b/code/sys/sys_main.c
+index 2ccf302..6d7fe7b 100644
+--- a/code/sys/sys_main.c
++++ b/code/sys/sys_main.c
+@@ -500,6 +500,13 @@ void *Sys_LoadDll(const char *name, qboolean useSystemLib)
+ {
+       void *dllhandle;
+       
++      // Don't load any DLLs that end with the pk3 extension
++      if (COM_CompareExtension(name, ".pk3"))
++      {
++              Com_Printf("Rejecting DLL named \"%s\"", name);
++              return NULL;
++      }
++
+       if(useSystemLib)
+               Com_Printf("Trying to load \"%s\"...\n", name);
+       
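Review bot: In Sys_LoadDll the new guard only refuses one suffix, so any other name that is not a library still reaches the loader. CL_InitRef already builds the renderer name with `DLL_EXT`, so requiring that suffix, e.g. `if (!COM_CompareExtension(name, DLL_EXT))`, would be the tighter check, as long as system libraries loaded with useSystemLib (whose names may carry a version suffix) are handled separately. The rejection message has no trailing newline, `Com_Printf("Rejecting DLL named \"%s\"\n", name);`, and the same applies to the copy of this message in S_AL_Init in the OpenAL patch. In FS_FOpenFileRead the `strcmp` comparisons are exact and case-sensitive; whether pack lookups compare names the same way is not visible here and is worth confirming so that isLocalConfig cannot disagree with the lookup. All of these functions continue outside their hunks.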
diff --git 
a/debian/patches/security/Don-t-open-.pk3-files-as-OpenAL-drivers.patch 
b/debian/patches/security/Don-t-open-.pk3-files-as-OpenAL-drivers.patch
new file mode 100644
index 0000000..43d93ad
--- /dev/null
+++ b/debian/patches/security/Don-t-open-.pk3-files-as-OpenAL-drivers.patch
@@ -0,0 +1,33 @@
+From: SmileTheory <[email protected]>
+Date: Mon, 13 Mar 2017 20:28:37 -0700
+Subject: Don't open .pk3 files as OpenAL drivers.
+
+Origin: upstream, 1.37, commit:f61fe5f6a0419ef4a88d46a128052f2e8352e85d
+Bug-Debian: https://bugs.debian.org/857699
+---
+ code/client/snd_openal.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/code/client/snd_openal.c b/code/client/snd_openal.c
+index 2a4fb0a..319ea37 100644
+--- a/code/client/snd_openal.c
++++ b/code/client/snd_openal.c
+@@ -2512,11 +2512,17 @@ qboolean S_AL_Init( soundInterface_t *si )
+       s_alRolloff = Cvar_Get( "s_alRolloff", "2", CVAR_CHEAT);
+       s_alGraceDistance = Cvar_Get("s_alGraceDistance", "512", CVAR_CHEAT);
+ 
+-      s_alDriver = Cvar_Get( "s_alDriver", ALDRIVER_DEFAULT, CVAR_ARCHIVE | 
CVAR_LATCH );
++      s_alDriver = Cvar_Get( "s_alDriver", ALDRIVER_DEFAULT, CVAR_ARCHIVE | 
CVAR_LATCH | CVAR_PROTECTED );
+ 
+       s_alInputDevice = Cvar_Get( "s_alInputDevice", "", CVAR_ARCHIVE | 
CVAR_LATCH );
+       s_alDevice = Cvar_Get("s_alDevice", "", CVAR_ARCHIVE | CVAR_LATCH);
+ 
++      if ( COM_CompareExtension( s_alDriver->string, ".pk3" ) )
++      {
++              Com_Printf( "Rejecting DLL named \"%s\"", s_alDriver->string );
++              return qfalse;
++      }
++
+       // Load QAL
+       if( !QAL_Init( s_alDriver->string ) )
+       {
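Review bot: The new `.pk3` check in S_AL_Init has no comment saying why a driver name with that suffix is refused, and the reason is not obvious from the code alone. I would add above the `if`: `// s_alDriver names the library QAL_Init loads; .pk3 files can be auto-downloaded, so never accept one as a driver`. The check reads `s_alDriver->string` immediately before QAL_Init receives the same string, so nothing can change the value in between. S_AL_Init starts and ends outside the hunk.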
diff --git 
a/debian/patches/security/Merge-some-file-writing-extension-checks-from-OpenJK.patch
 
b/debian/patches/security/Merge-some-file-writing-extension-checks-from-OpenJK.patch
new file mode 100644
index 0000000..e735511
--- /dev/null
+++ 
b/debian/patches/security/Merge-some-file-writing-extension-checks-from-OpenJK.patch
@@ -0,0 +1,50 @@
+From: SmileTheory <[email protected]>
+Date: Mon, 13 Mar 2017 20:44:47 -0700
+Subject: Merge some file writing extension checks from OpenJK.
+
+Thanks Ensiform.
+https://github.com/JACoders/OpenJK/commit/05928a57f9e4aae15a3bd0
+https://github.com/JACoders/OpenJK/commit/ef124fd0fc48af164581176
+
+Origin: upstream, 1.37, commit:b173ac05993f634a42be3d3535e1b158de0c3372
+Bug-Debian: https://bugs.debian.org/857699
+---
+ code/client/cl_console.c | 6 ++++++
+ code/qcommon/common.c    | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/code/client/cl_console.c b/code/client/cl_console.c
+index 7d806e9..32ab87e 100644
+--- a/code/client/cl_console.c
++++ b/code/client/cl_console.c
+@@ -191,6 +191,12 @@ void Con_Dump_f (void)
+       Q_strncpyz( filename, Cmd_Argv( 1 ), sizeof( filename ) );
+       COM_DefaultExtension( filename, sizeof( filename ), ".txt" );
+ 
++      if (!COM_CompareExtension(filename, ".txt"))
++      {
++              Com_Printf("Con_Dump_f: Only the \".txt\" extension is 
supported by this command!\n");
++              return;
++      }
++
+       f = FS_FOpenFileWrite( filename );
+       if (!f)
+       {
+diff --git a/code/qcommon/common.c b/code/qcommon/common.c
+index 02ada76..1bec2dc 100644
+--- a/code/qcommon/common.c
++++ b/code/qcommon/common.c
+@@ -2975,6 +2975,13 @@ void Com_WriteConfig_f( void ) {
+               return;
+       }
+ 
++
++      if (!COM_CompareExtension(filename, ".cfg"))
++      {
++              Com_Printf("Com_WriteConfig_f: Only the \".cfg\" extension is 
supported by this command!\n");
++              return;
++      }
++
+       Q_strncpyz( filename, Cmd_Argv(1), sizeof( filename ) );
+       COM_DefaultExtension( filename, sizeof( filename ), ".cfg" );
+       Com_Printf( "Writing %s.\n", filename );
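Review bot: In Com_WriteConfig_f the new extension check reads `filename` before the `Q_strncpyz( filename, Cmd_Argv(1), sizeof( filename ) )` call that follows it, so within this hunk the test runs on whatever the buffer held beforehand rather than on the user's argument. Depending on that content, the command is either refused every time or the check does not constrain the name that is actually written. Move the `if (!COM_CompareExtension(filename, ".cfg"))` block below `COM_DefaultExtension( filename, sizeof( filename ), ".cfg" );`, which is the order Con_Dump_f uses in the cl_console.c hunk of this same patch. The declaration of `filename` is outside the hunk, so whether it is initialised cannot be seen here.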
diff --git a/debian/patches/series b/debian/patches/series
index de9c674..e442b3b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,6 @@
+security/Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-file.patch
+security/Don-t-open-.pk3-files-as-OpenAL-drivers.patch
+security/Merge-some-file-writing-extension-checks-from-OpenJK.patch
 debian/Add-sv_dorestart-which-can-be-set-by-game-code-to-re.patch
 debian/Let-servers-set-sv_fps-too.patch
 debian/Add-a-special-vmMagic-that-causes-equivalent-native-.patch
